API vulnerabilities costing businesses up to US$75 billion annually
An API is the invisible connective tissue that enables applications to share data to improve end-user experiences and outcomes. Over the years, the use of APIs has increased tremendously among businesses hoping to increase traffic to their sites and such.
In fact, the volume of APIs used by businesses is growing rapidly; nearly half of all businesses have between 50-500 deployed, either internally or publicly, while some have over a thousand active APIs. But there is a problem that comes with increased usage and dependence on APIs.
According to a study by the Marsh McLennan Cyber Risk Analytics Center and Imperva, there have been rising global costs for businesses due to vulnerable or insecure APIs. The analysis of nearly 117,000 unique cybersecurity incidents estimates that API insecurity results in US$41 to 75 billion of losses annually.
The study also found that larger organizations were statistically more likely to have a higher percentage of API-related incidents. Enterprises with revenues of at least US$100 billion were 3 to 4 times more likely to experience API insecurity than small or midsize businesses. The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organizations accelerate digital transformation.
Part of the reason for this is that many APIs connect directly to backend databases where sensitive data is stored. As a result, hackers are increasingly targeting APIs as a pathway to the underlying infrastructure to exfiltrate sensitive information. Today, as many as 1 in every 13 cyber incidents can be attributed to API insecurity. As the number of APIs in production multiplies, this figure is expected to grow in the coming years.
The study also discovered substantial disparities between industries. IT, professional services, and retail are most likely to suffer API-related security incidents compared to healthcare and educational services.
Karl Triebes, SVP of Product Management & General Manager, Application Security at Imperva pointed out that without a strategy for addressing API security, businesses around the world will continue losing incredible sums annually. Triebes believes that to mitigate the growing volume of API-related security threats, organizations need the ability to discover all the APIs in their environment and to understand what data is flowing through each API.
So with API vulnerabilities on the rise, what can businesses do to deal with the problem?
Among the recommendations for improving API Security, Imperva suggests businesses first identify and classify their data flowing through every API. As visibility is crucial for understanding the full schema of every API, identifying and classifying the data that flows through it is critical so risks can be assessed.
Apart from that, businesses should also look into automating discovery. APIs are produced quickly and modified often, making them a blind spot for many organizations. Through automation, organizations can eliminate rogue or shadow APIs. Further, by automating API inventory, the security team will have visibility into when developers modify APIs in production.
Enable API governance is another recommendation. For organizations in highly regulated industries, an API governance model is crucial. This is only possible with visibility that extends beyond the API endpoint and into the underlying payload so sensitive data can be adequately protected.
“At the root of every API-related security incident is data. Protecting API requires a mindset shift; one that is focused on classifying data and understanding how data is accessed by every API in production. This approach requires security and development teams to work together to embed security into the development lifecycle. Until then, cybercriminals will continue to exploit vulnerable APIs to exfiltrate sensitive data in greater volumes,” added Triebes.